Original article ISPreview UK:Read More
The national telecoms regulator, Ofcom, has today confirmed that it will ban UK phone operators from leasing Global Titles (GTs) – numbers like +44 (for the United Kingdom) that support mobile services – to third parties. Sadly, such leasing can be misused to try and intercept messages and calls, disrupt the operation of networks and track the location of users of other networks.
According to Ofcom, a small number of operators have been leasing their Global Title numbers to third parties, which can also be done to facilitate the provision of legitimate mobile services. But the regulator has previously found that this can make it easier for bad actors to abuse the system. As a result, +44 Global Titles are “one of the most significant and persistent sources of malicious signalling“ – an issue that affects mobile networks globally.
The National Cyber Security Centre (NCSC) is also aware that +44 Global Titles have been exploited for malicious purposes, such as location tracking and the interception of SMS (text messages) used for 2-step verification (2SV) to target both UK residents and populations globally.
The fact that those who intend to cause harm can lease, rather than own, these numbers mean that they can also hide their identities with greater ease, allowing them to “work in the shadow of legitimate communications networks“.
The industry has attempted to tackle these problems itself, such as via the GSMA Global Title Leasing Code of Conduct and controls implemented by some Global Title lessors (e.g. signalling firewalls that block unauthorised message types and monitoring tools). But Ofcom stated that those efforts “have not been effective” and so they’ve opted to ban the leasing of Global Titles with immediate effect (details).
Natalie Black, Ofcom’s Group Director for Networks and Comms, said:
“We are taking world-leading action to tackle the threat posed by criminals gaining access to mobile networks.
Leased Global Titles are one of the most significant and persistent sources of malicious signalling. Our ban will help prevent them falling into the wrong hands – protecting mobile users and our critical telecoms infrastructure in the process.”
Just to be clear. The ban on entering new leasing arrangements is effective immediately. But for leasing that is already in place, the ban will come into force on 22nd April 2026. The aim of the latter is to “give legitimate businesses who currently lease Global Titles from mobile networks time to make alternative arrangements“.
The only exception to the above deadline relates to two specific migration journeys, which have been given until 22nd October 2026 to adapt. “We received detailed evidence on the significant challenges arising from the changes to network functionality associated with these migration journeys which distinguish them from others. We also have no evidence of misuse associated with the use of the relevant Global Titles,” said Ofcom.
The decision should help to improve the reputation of UK mobile numbers, by making them harder to abuse. However, this approach ideally needs to be followed by regulators in other countries, in other to be fully effective. Such things are often easier said than done, internationally speaking.
Just to get a bit technical. The issue above specifically relates to the Signalling System No. 7 (SS7) protocol suite, which is used by 2G and 3G mobile networks (not 4G, which uses the Diameter protocol) to facilitate the provision of mobile services (e.g. authenticating handsets to the network, setting up and terminating calls, sending SMS messages, subscriber profile management and to facilitate roaming).
The above consultation is thus about the security risks arising from SS7 signalling associated with GTs formed from +44 mobile numbers. But users of 4G and 5G networks can also be affected by malicious SS7 signalling because 2G and 3G networks operate alongside 4G and 5G networks, providing fallback coverage in areas where 4G or 5G coverage is not yet available.